ChecklistEU

EU Digital Services Act Checklist

Use this checklist to translate the DSA into service-tier decisions, operating controls, publication duties, and evidence records.

It separates all intermediary-service duties from hosting, online platform, marketplace, and VLOP/VLOSE obligations so teams do not apply the wrong control set.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The Digital Services Act applies in layers. Start by classifying the service: intermediary service, hosting service, online platform, online platform allowing consumers to conclude distance contracts with traders, online search engine, or designated VLOP/VLOSE. Then apply only the duties that match that layer and keep evidence showing why each obligation was included or excluded.

Section 1

1. Classify the DSA service tier first

Record the service model before building controls. The DSA defines intermediary services to include mere conduit, caching, and hosting. A hosting service stores information provided by and at the request of a recipient. An online platform is a hosting service that stores and disseminates recipient-provided information to the public, unless dissemination is only a minor and purely ancillary feature.

Also record whether the service offers online search, presents ads, uses recommender systems, is accessible to minors, or lets consumers conclude distance contracts with traders. Those facts determine which later checklist items apply.

  • Service tier: mere conduit, caching, hosting, online platform, online marketplace, online search engine, or designated VLOP/VLOSE.
  • EU nexus: recipients are established or located in the Union, or the service otherwise targets one or more Member States.
  • Platform facts: user-generated public dissemination, complaint flows, ads, recommender systems, minors, trader transactions, and moderation tooling.
  • VLOP/VLOSE screen: online platforms and online search engines at or above 45 million average monthly active recipients in the Union require Commission designation before the enhanced VLOP/VLOSE layer applies.
  • Evidence to keep: classification memo, product screenshots, user-flow notes, EU targeting evidence, active-recipient calculation support, and the obligation matrix approved by legal and product owners.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports the layered DSA service definitions, EU scope rule, and VLOP/VLOSE active-recipient threshold.
European Commission - DSA: Very large online platforms and search engines
Explains that the most stringent DSA obligations apply to platforms and search engines with more than 45 million monthly EU users after designation.
Section 2

2. Build notice-and-action and moderation records

Hosting services need an electronic mechanism for any individual or entity to notify specific items of allegedly illegal content. The notice form should collect enough information for the provider to identify the content and assess illegality without turning the form into a general complaint inbox.

When a notice includes electronic contact details, the provider should be able to acknowledge receipt, notify the submitter of the decision, and explain redress options. Moderation decisions should be logged whether they come from a notice, own-initiative review, automated detection, a trusted flagger, or an authority order.

  • Notice form fields: alleged illegal-content explanation, exact electronic location such as URL, submitter name and email where required, and bona fide accuracy statement.
  • Operations checks: receipt acknowledgement, decision notice, escalation for trusted-flagger notices, and separate handling of authority orders under the DSA order provisions.
  • Moderation log fields: content identifier, reporter type, detection method, legal or terms basis, action taken, territorial scope, duration, automation used, human review status, and redress links sent.
  • Criminal-offence escalation: hosting services need a route to notify law-enforcement or judicial authorities when information gives rise to suspicion of an offence involving a threat to life or safety.
  • Evidence to keep: notice schema, sample acknowledgements, moderation decision records, trusted-flagger queue rules, authority-order handling records, and law-enforcement escalation approvals.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports Article 16 notice-and-action fields, Article 17 moderation explanations, trusted-flagger priority, and criminal-offence notification duties.
Section 3

3. Issue statements of reasons and submit platform statements

Hosting services must give affected recipients a clear and specific statement of reasons when they restrict content, payments, service access, or an account because user-provided information is illegal or incompatible with terms. The record should be specific enough for the user to understand and challenge the decision.

Online platforms have an extra publication workflow: Article 24(5) requires statements of reasons to be sent to the Commission's DSA Transparency Database, without personal data.

  • Statement content: restriction type, territorial scope and duration where relevant, facts and circumstances, whether a notice or own-initiative review triggered the decision, automation used, legal or contractual ground, and redress options.
  • Platform database submission: remove personal data, map fields to the database schema, choose API or webform submission, and reconcile rejected or failed submissions.
  • Quality check: the statement should not rely on generic policy labels alone; it should connect the moderated item to the specific legal or terms basis.
  • Evidence to keep: statement templates, field mapping, redaction rules, submission logs, failed-submission remediation, and sampled statements reviewed for specificity.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports the required content of statements of reasons and Article 24(5) submission to the Commission database.
European Commission - DSA Transparency Database Q&A
Explains which providers submit statements of reasons, what the database contains, and the API or webform submission options.
Section 4

4. Run complaints, dispute settlement, and transparency reporting

Online platforms need an internal complaint-handling system for moderation and account decisions covered by Article 20. The complaint path should be electronic, free of charge, easy to access, and supervised by qualified staff rather than decided solely by automation.

Transparency reporting should be built from operational logs, not reconstructed manually at publication time. The report data needs to separate authority orders, notices, own-initiative moderation, automation, complaints, out-of-court disputes, and misuse suspensions where those categories apply.

  • Complaint records: original decision, date the user was informed, complaint grounds, reviewer, outcome, reversal status, reasoned response, and out-of-court dispute-settlement information sent to the user.
  • Transparency report records: content-moderation measures, orders from judicial or administrative authorities, notices from users and trusted flaggers, removals or restrictions, automated-means accuracy and error indicators, complaints, dispute outcomes, and misuse suspensions.
  • Publication cadence: all providers of intermediary services covered by Article 15 reporting publish at least annually, while VLOPs and VLOSEs have additional six-month transparency reporting expectations.
  • Template alignment: use the Commission implementing regulation templates for harmonised DSA transparency reports when those templates apply.
  • Evidence to keep: complaint queue exports, review training records, dispute-settlement notices, report data lineage, template mapping, publication approval, and archived public reports.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports internal complaint-handling duties, out-of-court dispute information, and Article 15 and 24 reporting categories.
European Commission - How the Digital Services Act enhances transparency online
Summarises annual transparency reports, six-month VLOP/VLOSE reports, statements of reasons, and risk and audit publication expectations.
Implementing Regulation (EU) 2024/2835 on DSA transparency reporting templates
Provides the harmonised DSA transparency reporting templates and reporting-format requirements.
Section 5

5. Check ads, recommenders, minors, and marketplace trader traceability

Online platforms that present ads need real-time ad disclosures. Platforms that use recommender systems need plain-language terms explaining the main parameters and user options to modify or influence them. Platforms accessible to minors need proportionate privacy, safety, and security measures and must not use profiling-based ads when they know with reasonable certainty that the recipient is a minor.

Marketplaces and other online platforms allowing consumers to conclude distance contracts with traders need a trader traceability workflow before traders can offer products or services to EU consumers.

  • Ad disclosures: label the item as an advertisement, identify on whose behalf it is shown, identify who paid if different, and provide meaningful information about the main targeting parameters and how to change them where applicable.
  • Ad prohibitions: block ad targeting based on profiling using special-category personal data, and block profiling-based ads to known minors.
  • Recommender controls: publish main parameters in terms, explain why information is suggested, and provide directly accessible controls when users can select or modify recommender options.
  • Trader traceability: collect trader contact details, identification, payment-account details, register information where applicable, and a self-certification to offer only compliant products or services.
  • Marketplace checks: assess whether trader information is reliable and complete, request corrections when information is inaccurate or outdated, suspend traders who do not remedy required information, and display required trader information to consumers.
  • Evidence to keep: ad disclosure screenshots, targeting-parameter documentation, recommender parameter inventory, minor-protection decisions, trader onboarding records, database or document checks, correction requests, suspensions, and consumer-facing trader disclosures.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports the DSA duties for online ads, recommender-system transparency, protection of minors, trader traceability, and marketplace compliance-by-design.
Section 6

6. Add the VLOP/VLOSE layer only when designated

Do not treat a high-traffic service as a VLOP or VLOSE solely because it is large. The enhanced layer applies to online platforms and online search engines that meet the DSA active-recipient threshold and are designated by the Commission. Once designated, the checklist expands from content-moderation operations into systemic-risk governance.

The VLOP/VLOSE evidence set should be board-level and audit-ready because it includes risk assessments, mitigation measures, compliance functions, independent audits, data access duties, recommender options, and advertisement repositories.

  • Designation trigger: monitor average monthly active recipients in the Union and Commission designation status for each platform or search service.
  • Risk assessment: assess systemic risks from service design, algorithmic systems, content moderation, terms enforcement, ad systems, and data practices.
  • Mitigation controls: document proportionate measures for identified risks, including changes to interfaces, terms, moderation, recommender systems, ad systems, resources, trusted-flagger cooperation, and child-protection tools where relevant.
  • Audit and publication: arrange annual independent audits and publish risk assessment, audit, mitigation, audit implementation, and consultation information where required.
  • Data and transparency: maintain processes for Commission and Digital Services Coordinator access, vetted researcher access, non-profiling recommender options, and a public ad repository.
  • Evidence to keep: designation notices, AMAR calculations, risk assessment files, mitigation decisions, compliance-function records, audit reports, auditor recommendations, implementation reports, data-access handling, researcher-request logs, recommender option tests, and ad repository exports.
Sources for this answer
Regulation (EU) 2022/2065 (Digital Services Act)
Supports the Commission designation mechanism, VLOP/VLOSE risk-assessment duties, mitigation duties, evidence preservation, and annual audit obligation.
European Commission - DSA: Very large online platforms and search engines
Explains enhanced VLOP/VLOSE duties including systemic risk assessment, audits, data access, non-profiling recommender options, and ad repositories.
Recommended next step

Convert DSA obligations into product, policy, and reporting records

Sorena can help turn this DSA checklist into a service-tier matrix, moderation evidence pack, transparency reporting map, and VLOP/VLOSE readiness file.

Research workflow
Open Research Copilot for DSA questions

Ask source-linked questions about DSA service classification, notices, statements of reasons, transparency reporting, ads, recommenders, marketplaces, and VLOP/VLOSE obligations.

Explore next step
Talk to Sorena
Talk through DSA implementation

Review your DSA obligation matrix, source gaps, and evidence records with Sorena.

Explore next step
Primary sources

References and citations

European Commission - DSA Transparency Database Q&A
digital-strategy.ec.europa.eu
Referenced sections
  • Explains which providers submit statements of reasons, what the database contains, and the API or webform submission options.
"publicly accessible and machine-readable"
Regulation (EU) 2022/2065 (Digital Services Act)
eur-lex.europa.eu
Referenced sections
  • Supports the Commission designation mechanism, VLOP/VLOSE risk-assessment duties, mitigation duties, evidence preservation, and annual audit obligation.
"Very large online platforms"
Related guides

Explore more topics

DSA Ads and Recommender Systems: transparency duties, user choice, and evidence
A grounded DSA guide to ad labels, targeting restrictions, recommender parameter disclosure, non-profiling options for VLOPs and VLOSEs, ad repositories, and compliance evidence.
DSA Applicability Test: classify intermediary services, platforms, marketplaces, VLOPs and VLOSEs
A source-grounded EU Digital Services Act applicability test for classifying intermediary services, hosting services, online platforms, marketplaces, VLOPs and VLOSEs.
DSA Article 28 minors protection guide for online platforms
EU Digital Services Act guide to Article 28 minors protection: platform scope, child-safety measures, targeted ads limits, recommender controls, and grounded evidence.
DSA average monthly active recipients: what platforms must publish
A grounded FAQ on average monthly active recipients under the EU Digital Services Act, including publication, EU recipient scope, the 45 million VLOP/VLOSE threshold, and evidence records.
DSA Complaint and Dispute Workflows for Online Platforms
Build DSA complaint, appeal, statement-of-reasons, and out-of-court dispute workflows for online platform moderation decisions.
DSA crisis response for VLOPs and VLOSEs
EU Digital Services Act crisis response guide for VLOPs and VLOSEs: Article 36 Commission decisions, Article 48 crisis protocols, mitigation, governance, requests for information, and records.
DSA Dark Patterns: interface design checks for online platforms
Article 25 DSA guidance for reviewing online platform interfaces for deceptive, manipulative, or choice-distorting design patterns.
DSA Enforcement and Penalties in the EU
How Digital Services Act enforcement works: Commission and Digital Services Coordinator roles, VLOP and VLOSE investigations, fines, periodic penalty payments, and evidence readiness.
DSA illegal content notices: what must be included?
A grounded FAQ on EU Digital Services Act illegal-content notices: Article 16 notice elements, acknowledgement, decision notices, trusted flagger priority, statements of reasons, and records.
DSA Marketplace Trader Traceability FAQ
Answer to what EU Digital Services Act Article 30 requires online marketplaces to collect, verify, display, retain, and evidence for trader traceability.
DSA Marketplace Trader Traceability Guide
EU Digital Services Act guide for online marketplaces collecting, checking, displaying, storing, and evidencing trader traceability information.
DSA notice and action plus statements of reasons guide
A grounded Digital Services Act guide for notice intake, moderation decisions, statements of reasons, DSA Transparency Database submission, complaints, appeals, trusted flaggers, and records.
DSA Notice and Action Workflow for Hosting Services and Online Platforms
A grounded DSA notice-and-action workflow covering notice intake, completeness checks, trusted flaggers, decisions, user communications, statements of reasons, appeals, and records.
DSA recommender transparency FAQ: Article 27 and VLOP options
What EU Digital Services Act recommender transparency requires: main parameters, user options, VLOP/VLOSE non-profiling choices, and evidence to keep.
DSA researcher data access for VLOPs and VLOSEs
Article 40 DSA guide to vetted researcher data access for VLOPs and VLOSEs: DSC requests, eligibility checks, amendment grounds, confidentiality, security, and evidence records.
DSA service tier classifier for platforms, marketplaces, VLOPs and VLOSEs
Classify a digital service under the EU Digital Services Act as intermediary, hosting, online platform, marketplace, VLOP or VLOSE, with EU recipient-count evidence and obligation outputs.
DSA statement of reasons FAQ
When DSA statements of reasons are required, what they must contain, when online platforms submit them to the DSA Transparency Database, and what appeal records to keep.
DSA statement of reasons log workflow for online platforms
Build a DSA statement of reasons log for moderation decisions, Transparency Database submission, complaint links, retention, and QA controls.
DSA transparency report template fields and cadence
A source-grounded template outline for Digital Services Act transparency reports, covering applicable service tiers, reporting periods, CSV/XLSX format, retention, statement-of-reasons links, and required evidence tables.
DSA Transparency Reporting Obligations by Provider Tier
A grounded guide to EU Digital Services Act transparency reports, active-recipient publication, statements-of-reasons submissions, VLOP/VLOSE reports, templates, cadence, and evidence.
DSA VLOP and VLOSE Risk Assessments and Mitigation Guide
Grounded guide to Digital Services Act systemic risk assessments, mitigation measures, audits, transparency reports, data access, and governance evidence for VLOPs and VLOSEs.
DSA VLOP Audit Pack Workflow: Risk, Mitigation, Audit, and Transparency Records
Build a DSA VLOP or VLOSE audit pack covering Article 34 risk assessments, Article 35 mitigations, independent-audit evidence, transparency reports, data access, and compliance governance.
DSA VLOP Risk Assessment FAQ: Article 34, Mitigation, Audits
What VLOPs and VLOSEs must assess under the EU Digital Services Act, when to reassess, how Article 35 mitigation and annual audit evidence fit together, and what records to keep.
DSA vs DMA Platform Rules
Compare the EU Digital Services Act and Digital Markets Act by scope, designation thresholds, obligations, enforcement, evidence, and practical team ownership.
DSA vs GDPR: online-platform governance and personal-data obligations
Compare the EU Digital Services Act and EU GDPR by scope, ads, recommenders, minors, transparency, complaints, enforcement, and evidence.
DSA vs P2B Regulation: EU platform obligations compared
Compare the EU Digital Services Act with the Platform-to-Business Regulation for platform scope, business-user terms, content moderation, ranking transparency, complaints, enforcement, and evidence.
DSA vs Terrorist Content Online Regulation: notice-and-action vs removal orders
Compare DSA content-governance duties with the EU Terrorist Content Online Regulation removal-order workflow for scope, timing, evidence, authorities, and team ownership.
EU Digital Services Act Compliance Guide
DSA compliance guide for intermediary services, hosting providers, online platforms, marketplaces, and VLOP/VLOSE teams: obligations, controls, and evidence to keep.
EU Digital Services Act FAQ: DSA scope, platform duties, VLOPs, reports, and penalties
Concise EU Digital Services Act FAQ covering intermediary-service scope, active-recipient thresholds, illegal-content notices, statements of reasons, trader traceability, recommender transparency, systemic-risk duties, reporting, penalties, and complaints.
EU Digital Services Act penalties and fines: caps and enforcement roles
DSA penalty caps and enforcement roles: Member State fines, Commission fines for VLOPs and VLOSEs, 1% procedural fines, and 5% periodic penalty payments.
EU Digital Services Act requirements by service tier
Overview of DSA obligations for intermediary services, hosting providers, online platforms, marketplaces, VLOPs and VLOSEs, including notices, complaints, ads, transparency reports, audits, data access and enforcement.
EU Digital Services Act service types and scope
Classify DSA service scope across mere conduit, caching, hosting, online platforms, marketplaces, online search engines, and VLOP/VLOSE threshold duties.
EU DSA deadlines and compliance calendar: application dates, reporting cycles, and VLOP clocks
Calendar view of grounded EU Digital Services Act dates: full application, user-number publication, VLOP/VLOSE designation clocks, statements of reasons, and transparency reporting cycles.
EU DSA Transparency Calendar: reporting, SoR database, AMAR updates
Build a DSA transparency calendar for annual reports, statement-of-reasons database submissions, active-recipient updates, and VLOP/VLOSE audit touchpoints.
EU DSA vs UK Online Safety Act: scope, duties, regulator, and evidence
Compare the EU Digital Services Act and UK Online Safety Act for platform scope, risk assessments, child protection, transparency, regulators, enforcement, and owners.